Hi Sai, do you have any other recommendation for a better solution? Please advise.
Thank you.

From: CE Ang

> ----- Original Message -----
> From: AngChorEng
> To: [email protected]
> Sent: Monday, January 29, 2007 3:51 PM
> Subject: Fw: [pfSense Support] Pfsense load balancer and fail over for outgoing traffic
>
> Hi Sai,
>
> Yes, from Internet --> pfSense ----> Netscreen ----> LAN, DMZ.
>
> For the DMZ internal server, it is still OK to use a static route; the traffic can be routed in using only one layer of port mapping from pfSense instead of two layers of port mapping. However, for the LAN, a static route is not recommended because port mapping is still preferred for security reasons. Please correct me if I am wrong.
>
> My main concern is, I do have one OpenVPN server (IPCop) sitting after the Netscreen firewall which is using the port mapping method; the authentication takes place after going through the Netscreen with port 1194 allowed. Let me explain my existing scenario and workflow: from Internet --> pfSense ----> Netscreen ----> Cisco core switch 4507R ------> VLAN server farm (IPCop OpenVPN). This is how my remote users, like senior managers and the CEO, get access to company resources. Below are the options for your review.
>
> Solution 1) Actually, I am thinking of replacing my Netscreen firewall with IPCop (we call it IPCop A) and migrating the existing OpenVPN policy from the box to IPCop A; that would be centralized as a whole, with the new workflow: from Internet --> pfSense ----> IPCop A plus OpenVPN ---------> LAN in multiple VLANs.
>
> Solution 2) Alternatively, pfSense ----> Netscreen ----> Cisco core switch --------> VLAN server farm (OpenVPN), but it requires two layers of port mapping.
>
> Solution 3) pfSense -------> pfSense with OpenVPN -------> LAN in multiple VLANs.
>
> If I pick solution 2, that would be easier for the implementation; I can still sustain the Netscreen and OpenVPN box and just concentrate on pfSense in the front end and port mapping. But what is the impact of two layers of port mapping? The reason is, migrating the OpenVPN policy and replacing a firewall is a nightmare. Now I am struggling with the implementation of pfSense because of the impact reflected on the whole network infrastructure. Please advise me if I am wrong.
>
> Please let me know if I am confusing you; I can explain it in more detail. Thank you.
>
> From:
> CE Ang
>
> --- sai <[EMAIL PROTECTED]> wrote:
>
>> Internet --> pfSense ----> Netscreen ----> LAN, DMZ
>> Is this what you mean?
>>
>> Yes, this can be done. It means that you do NATting twice, which is not good, but it is workable. You just need a new private subnet between the pfSense ----> Netscreen.
>>
>> It might be easier to just replace the Netscreen so that if something is messed up you can put the Netscreen back in and your network works again.
>>
>> sai
>>
>> On 1/29/07, AngChorEng <[EMAIL PROTECTED]> wrote:
>>
>>> Hi Sai,
>>>
>>> Thanks for your message. I had successfully installed pfSense with the latest snap, thank you.
>>>
>>> By the way, did you come across a solution with two layers of port mapping via two firewalls? Let me brief you on my network infrastructure so that you can understand my question. Currently, I have one Netscreen firewall as a front-end box to control all the inbound/outbound traffic, even port mapping to internal servers by using public IPs. The reason for putting a new box in front of the Netscreen is to provide load balancer and failover functions with two WAN lines. However, initially I am having some difficulty implementing pfSense due to the IP addressing restructure; in order to get it done, I have to step ahead by changing the Netscreen's outbound interface to a private IP. At this stage, pfSense becomes the main control of inbound port mapping. With this new design, do you think that the inbound traffic can be routed via two layers of firewall by the port mapping method to the DMZ and LAN internal servers? Please advise.
>>>
>>> Sorry for the confusion and long story. Please let me know if you need more detail about this, thanks.
>>>
>>> From:
>>> CE Ang
>>>
>>> --- sai <[EMAIL PROTECTED]> wrote:
>>>
>>>> The latest snapshots would be here:
>>>> http://snapshots.pfsense.com/FreeBSD6/RELENG_1/
>>>> which have an improved load balancing user interface.
>>>>
>>>> On 1/26/07, sai <[EMAIL PROTECTED]> wrote:
>>>>
>>>>> The download mirrors are here:
>>>>> http://pfsense.com/mirror.php?section=downloads
>>>>>
>>>>> A copy of the Live ISO is here:
>>>>> http://pfsense.basis06.com/download//downloads/pfSense-1.0.1-LiveCD-Installer.iso.gz
>>>>>
>>>>> md5 of the iso.gz:
>>>>> http://pfsense.basis06.com/download//downloads/pfSense-1.0.1-LiveCD-Installer.iso.gz.md5
>>>>>
>>>>> I hope that this is what you were asking for.
>>>>>
>>>>> sai
>>>>>
>>>>> On 1/26/07, AngChorEng <[EMAIL PROTECTED]> wrote:
>>>>>
>>>>>> Hi Scott,
>>>>>>
>>>>>> Thanks for your information. Sorry for the same question: do you have any source address for the LiveCD .iso download for my pfSense installation? By using the LiveCD it is much more straightforward, and I am able to run it in trial mode before installing it to the hard disk. Please advise.
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>> --- Scott Ullrich <[EMAIL PROTECTED]>
=== message truncated ===
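As an added illustration of the "two layers of port mapping" question in Solution 2 (example code written for this page, not from the thread, pfSense or Netscreen): a small Python model of chained destination port mapping with per-hop connection state, Internet --> pfSense ----> Netscreen ----> OpenVPN server. The pfSense WAN address, the 10.250.0.0/30 transit subnet between the two firewalls, the server-farm VLAN address and the client address are all constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatHop:
    """One stateful firewall doing destination port mapping (DNAT) only: rewrite the
    destination inbound, record the flow, undo the rewrite on a matching reply."""
    def __init__(self, name, forwards):
        self.name, self.forwards, self.state = name, forwards, {}
    def inbound(self, p):
        key = (p.dst, p.dport)
        if key not in self.forwards:
            return None                               # no port-mapping rule: dropped
        new_dst, new_dport = self.forwards[key]
        # Remember the original destination so the reply can be untranslated.
        self.state[(new_dst, new_dport, p.src, p.sport)] = key
        return replace(p, dst=new_dst, dport=new_dport)  # source address is untouched
    def outbound(self, p):
        orig = self.state.get((p.src, p.sport, p.dst, p.dport))
        if orig is None:
            return None                               # reply with no state: dropped
        return replace(p, src=orig[0], sport=orig[1])

def build_path():
    """Solution 2 as two chained hops (constructed addresses: pfSense WAN 203.0.113.10,
    transit subnet 10.250.0.0/30, OpenVPN server 192.168.50.10 on UDP/1194)."""
    pfsense = NatHop("pfSense", {("203.0.113.10", 1194): ("10.250.0.2", 1194)})
    netscreen = NatHop("Netscreen", {("10.250.0.2", 1194): ("192.168.50.10", 1194)})
    return [pfsense, netscreen]

def traverse(hops, p):
    """Carry a client packet inward through every hop, then its reply outward.
    Returns (packet_as_seen_by_server, reply_as_seen_by_client), or None if
    either direction is dropped at any hop."""
    for hop in hops:
        p = hop.inbound(p)
        if p is None:
            return None
    reply = Packet(p.dst, p.dport, p.src, p.sport)
    for hop in reversed(hops):
        reply = hop.outbound(reply)
        if reply is None:
            return None
    return p, reply
```

Destination-only mapping keeps the client's source address all the way to the VPN server, so its logs still show the real peer; the cost is that every reply must find matching state at both firewalls, so lost state at either one silently breaks the flow.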
